The Schellman Blog

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data. One of the key (and almost always applicable) requirements of PCI DSS is that organizations must perform internal and external penetration testing for the entire scoped environment—this not only applies to systems that store, process, or transmit cardholder data, but also those that can impact the security of cardholder data.

Over the past couple of years, HITRUST has expanded exponentially to become an all-encompassing certification that can be achieved by a wide variety of industries and organizations. When HITRUST endeavored to become more accessible to more institutions, they introduced alternatives to the now-typical 2-year (r2) certification.

Though the timeline of a completed report varies greatly based on numerous factors within your organization, a SOC 1 examination generally always moves through the same three phases of planning and preparation, fieldwork, and reporting stages.

If you’ve ever owned a home in a neighborhood that has a homeowners association, you likely know that you have to pay those fees to avoid a lien being placed on your property, which could complicate your life in annoying ways. But on the flip side, paying those fees should mean you also reap the benefits like landscaping, community pool management, security, or maintenance.

With the new SEC Cybersecurity Disclosure Rule requiring both the reporting of material cybersecurity events and the disclosure of cybersecurity programs for public companies, those affected are taking a closer look at cybersecurity frameworks that—while previously considered optional or “nice to have”—could help their organization meet the new regulatory requirements.

Among the many changes in the new PCI DSS v4.0 are those regarding requirement 11.4.4, which refers to the remediation of "exploitable vulnerabilities" and "security weaknesses”—though history has more clearly established what is meant by the former, there may be some confusion concerning the latter as organizations continue to make the transition to the new version.

Now that artificial intelligence (AI) has more fully engrained itself into the digital world and economy, it makes sense that the American Institute of Certified Public Accountants (AICPA)—as the organization that sets the most recognized auditing standards in the U.S.—would have an opinion on AI use, particularly in terms of the possibility of related SOC-compliance issues.

The National Institute of Standards and Technology (NIST) has made a significant move in introducing its groundbreaking AI Risk Management Framework (AI RMF). Designed to empower organizations and individuals with comprehensive risk management guidance, the AI RMF aims to create a world where AI can thrive responsibly.